From: Reuben Martin <reuben.m.work@gmail.com>
Date: Sat, 18 Nov 2017 17:55:38 -0600
Subject: Re: Another allowed-ips question
To: Ryan Whelan <rcwhelan@gmail.com>
Cc: WireGuard mailing list
List-Id: Development discussion of WireGuard

On Nov 18, 2017 5:44 PM, "Ryan Whelan" <rcwhelan@gmail.com> wrote:

> I'm working on a system where WireGuard machines can connect directly to one another as well as communicate with one another via an intermediary router (or 'server').
>
> When 2 machines directly connect to one another, the allowed-ips setting is obviously a non-issue; what I'm struggling with is if they are unable to communicate directly and build routes to one another via an intermediary router (which is also connected to each 'client' via WireGuard). Unless the 'server' NATs the traffic, the allowed-ips setting will prevent the 'clients' from communicating. Am I missing something?
>
> I'm trying to avoid building a wg interface for each peer connection if possible, but I'm failing to see any other way around it. Either NAT at the intermediary router or create an interface per-peer.
>
> Are there other options?

I have something kinda similar. I set up vxlan connections overtop of the WireGuard connections and added the vxlan interfaces to bridges.

-Reuben
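The layout Reuben describes, written out as an added example (not code from the thread or from the WireGuard project): a script that emits the `ip(8)` commands for a VXLAN segment carried inside an existing WireGuard tunnel and joined to a Linux bridge. The interface names, the VNI and the 10.0.0.x tunnel addresses are assumptions chosen for illustration. The reason this avoids the allowed-ips problem is that WireGuard's cryptokey routing only inspects the inner IP header; once VXLAN rides across the tunnel, the only inner packets are UDP/4789 between the two tunnel addresses, so each peer entry needs nothing beyond the other side's tunnel /32, and the Ethernet frames inside the VXLAN payload can carry whatever addressing the bridged network uses.

```shell
#!/bin/sh
# Added example, not code from the thread: print the ip(8) commands that put a
# VXLAN segment on top of an existing WireGuard tunnel and attach it to a bridge.
# Interface names, the VNI and the 10.0.0.x tunnel addresses are assumptions.

# overlay_cmds WG_LOCAL VNI BRIDGE WG_REMOTE [WG_REMOTE...]
#   WG_LOCAL   this host's WireGuard tunnel address
#   VNI        VXLAN network identifier shared by every member of the segment
#   BRIDGE     Linux bridge that joins the segment(s) on this host
#   WG_REMOTE  tunnel address of each peer to build a VXLAN to (the hub lists
#              all of its clients; a client lists only the hub)
# The commands are printed rather than run so they can be reviewed first;
# pipe the output to `sh` as root to apply them.
overlay_cmds() {
    if [ "$#" -lt 4 ]; then
        echo "usage: overlay_cmds WG_LOCAL VNI BRIDGE WG_REMOTE..." >&2
        return 1
    fi
    wg_local=$1; vni=$2; br=$3
    shift 3
    # WireGuard's default MTU is 1420; VXLAN over IPv4 adds 50 bytes of headers
    # (20 IP + 8 UDP + 8 VXLAN + 14 inner Ethernet), so the overlay gets 1370.
    mtu=1370

    echo "ip link add ${br} type bridge"
    echo "ip link set ${br} up"
    n=0
    for wg_remote in "$@"; do
        n=$((n + 1))
        vx="vx${vni}p${n}"          # one VXLAN device per WireGuard peer
        echo "ip link add ${vx} type vxlan id ${vni} local ${wg_local} remote ${wg_remote} dstport 4789"
        echo "ip link set ${vx} mtu ${mtu}"
        echo "ip link set ${vx} master ${br}"
        echo "ip link set ${vx} up"
    done
}

# Hub with two clients (run on the hub):   overlay_cmds 10.0.0.1 100 br0 10.0.0.2 10.0.0.3
# Client (run on 10.0.0.2):                overlay_cmds 10.0.0.2 100 br0 10.0.0.1
if [ "$#" -ge 4 ]; then
    overlay_cmds "$@"
fi
```

On the hub every client's VXLAN device lands in the same bridge, so the hub forwards frames between clients at layer 2 without NAT and without touching any peer's allowed-ips. One thing to watch: if two clients also bridge a direct WireGuard link to each other, the segment now has two paths and forms a layer-2 loop, so either keep a single path per pair or enable STP on the bridge.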